In one single image, establishment and mainstream media show their utter ignorance of security

The various branches of the establishment are frequently criticized for not understanding, or even caring about, the critically important fields of privacy and security. In just one image, the New York Post shows just how bad the situation is with this ignorance.

When I was in the European Parliament, I was frequently shocked at how badly decision-makers and policymakers understood the crucial issues of the 21st century: information, security, privacy (which in turn lead to innovation and growth). Rather, Members of the European Parliament would have e-mails printed for them by their secretaries and put in a pile on their desks, and they would therefore believe that they understood what the Internet was about.

About a decade ago, there was something akin to a riot on the Internet as the copyright industry tried to suppress discussion of the key “09-F9-11-02-9D-74-E3-5B-D8-41-56-C5-63-56-88-C0”: this was a cryptographic key for access and playback control of Hollywood DVDs. Everybody who is familiar with the Internet understands the concept of publishing a key. It cannot be undone, and once you publish its secret, you’ve opened Pandora’s box.

A cryptographic key is usually published as above, as a sequence of hexadecimal digits, since those digits are the secret of the key. This makes it different from a physical key, where the physical shape of the key is the crucial secret.

Now consider this story by the New York Post, which cries out in terror that a master key to the New York City utilities has leaked. Consider that this story has passed by many people on its way to publishing, all part of the narrative-creating establishment, and consider what their understanding of the most fundamental security must look like.

Yes, that’s the key being discussed right there, the “1620” key. The New York Post is crying out in terror that this master key is on the loose, and goes on to publish the full secret of the key, in gigantic format. From this point, anybody can trivially reproduce this key.

It’s reasonable to ask at what point an ignorance of security to this unbelievable level becomes criminal negligence.

The ignorance is not unlike the fiasco with Diebold voting machines, also about a decade ago. The voting machines were supposedly secure; they needed a key to access the memory card slots. Spare keys were for sale on the Diebold website, and were only sold to certified voting officials. But like any webshop, there were high-resolution photos of the keys to the voting machines right on that webshop, and those images could be (and were) used to create keys that could access the voting records.

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.

It really doesn’t matter whether NYPost knew what they were doing, and I’m not going to try to crawl into the head of the editor or whoever chose that key photo, regardless of who they work for, but I think it’s not outside the realm of plausibility to consider that it may have been intentional.

I think the important takeaway from here is: will it force the hand of NYC officials? I’m guessing it will.

Those of us that have been involved more on the breaching side of computer security understand the value of an act of intentional dissemination of a security flaw. Sometimes it’s the only way to get the people that can fix it to do something. Microsoft used to be notoriously lazy about patching exploits. Back when IE6 was vulnerable to a code-injection attack using JPEG images (yes, you could get IE to run arbitrary code at IE6’s privilege level by putting it in a malformed JPEG header) I did something similar. I released a Visual Studio add-on that allowed you to compile/link software into JPEG images, which could then be released onto an unsuspecting public. This made it *very easy* for someone with relatively little programming ability to use this exploit. I then released the add-on on programming sites across the net. They’re mum on what drove them to finally patch it, but let’s just say it was shortly after I put that out to the world. Everyone was better for it because prior to that a whole lot of machines were extremely vulnerable. I could format a WinME hard drive using a banner ad. Okay? This isn’t cool.

When someone publicly describes a security vulnerability in software, at least it’s theoretically possible for the software publisher to make a fix available quickly and hope that people will install the fix promptly.

How fast do you think it’s physically possible for the city of New York to change thousands of locks? And who gets to decide that “making the problem impossible to avoid” justifies making the problem much worse until all those locks get changed? Would you feel the same if someone had made keys available to everyone’s apartment, including your own?

I certainly would take exception to anyone having a master key to where I live, since I’ve lived in a building where the person who held those keys robbed me.

That being said, there’s a good chance that if the newspaper ran that, then people already knew about it and were likely making bump keys and such as it is, which means it needs to be fixed.

Bureaucracy being what it is, it would likely never get fixed otherwise, but you can be damned sure that once it dawns on them the level of breach, they’re going to mobilize a fair amount of resources to fix it.

There are two unsupported assertions in your last paragraph(*), but I realize that it’s often difficult for techies (of which I am one) to acknowledge that they don’t know much about the working of systems outside of their field.

(* I’m not even counting the second paragraph, which seems to be based on an assumption that anyone at the freaking New York Post gives a crap about the consequences of what they print. Based on no inside knowledge of journalism, but 13 years of reading the Post, I would say that that’s a stretch to say the least.)

I love when people make vague claims about unsupported assertions without naming them, particularly when they make their own.

As it happens, I’m pretty good at getting into places people don’t want me, whether they are protected digitally or mechanically, so I know a bit about physical security – not just digital.

Furthermore, all I said was that it *may* have been intentional. You act as though your 13 years of reading a newspaper means you know the staff. I think that’s silly to be so certain based on that, but then whatever.

Of course I don’t know the staff. I expressed an opinion, because the paper has a long history of doing outrageously stupid and offensive things and acting like they care more about hurting their political enemies than anything else. I’m sure they have some good people working there, but I would be surprised if they had enough influence to do something like this. But of course I don’t know— which is why I didn’t say something silly like “you can be damned sure.”

I’m sure your reading comprehension is just fine so you know I wasn’t making “vague claims”— you only said two things in that paragraph, so that’s obviously what I was talking about (“it would never get fixed otherwise” and “they’re going to mobilize a fair amount of resources to fix it”; I’m sure the latter is true *sooner or later*, but that’s a meaningless statement if you don’t acknowledge that it takes much longer to change thousands of locks than a browser patch). But you seem to be here to play debating games and brag about your ninja skills, rather than because you have any concern about what happens to anyone in New York, so whatever.

I’m sure it’s your opinion. I don’t know anything about you personally, and I’m not attacking you. I’m saying I don’t think you’re discussing this in a particularly serious way, and you’re throwing in fairly self-congratulatory anecdotes about your skills at every opportunity, so I don’t see the point of arguing further. Bye.

You know what, if you want an apology, here you go. I shouldn’t have gotten into a pissing match with you; I have no way to know why you write anything, I was just venting unnecessarily. I do find your general “oh it’ll all work out fine, that’s how these things go, I know because I know about security” attitude pretty annoying, but you’re not doing anyone any harm. I do hope that you’re right and that they fix the locks.

In case anyone was actually confused and thought that was supposed to be a direct quotation, I withdraw the quotation marks and add “this was the impression I got from the way you were talking about this”. And I repeat that my being annoyed by your attitude did not justify my hostility. OK? Feel free to get the last word now or whatever, I’m done.

You seem upset. Vaguely curious if you created an account just to troll me, like the last one did.

2 years ago

Brandon Walker

Lol, actually, you started the personal attacks, so I think everyone fails to see anything but hypocrisy in your complaint, and they would not need to know anything about the leak to make a bump key, but using the “format” or making copies are also not bump keys, so those statements were ignorant, than the fact that there are actually TONS of bump resistant locks, there are locks that don’t use pins at all, there are locks that have magnets incorporated into the key, there are locks with multiple pinned faces etc, all creating a bump resistant or bump proof lock.

The locks for those keys use pins, and if they haven’t been updated lately (they haven’t), they aren’t bump resistant.

2 years ago

Brandon Walker

Lol except you were making personal attacks before hob’s second post and he did not make any personal attack in his first, or in other words, you quite literally started the personal attacks, and your comment about bump resistant locks had nothing to do with those specific locks, you simply said very few locks are truly bump resistant, which is false, as not only is there a literal plethora of bump resistant locks, there are locks that have yet to be defeated by any type of picking or bumping technique, so in summary both of your counterarguments are entirely false, and one is an outright lie.

Pro-tip: Whining on internet forums about how doubleplus-ungood the NYPost is won’t protect the people of New York. That ship already sailed. Nor is it – if your comments about their behavior are any indication – likely to change the behavior of that paper in the future.

Most of what you seem upset about is I didn’t criticize the NYPost enough for you. I don’t care. I am not your trained monkey. You’re more than welcome to criticize them in your own comments.

2 years ago

Robert Daggett

Don’t use words you don’t understand. A bump key works on any tumbler lock that is not bump resistant.

Wiki is not your friend. Get back to me when you have some experience with the subject.

2 years ago

Robert Daggett

“then people already knew about it and were likely making bump keys”
They were copying the keys, not making bump keys. You don’t need a bump key if you have the keyshape. What exactly qualified you as a locksmith?

I’m referring to prior to this article. Some people may have had access to an original that would facilitate proper copying, but that doesn’t preclude others from exploiting the leak as well, and one way to do that would be to make a bump key using the same template.

I never claimed to be a locksmith, but I do have quite a bit of experience defeating locks, nonetheless, and that includes making bump keys.

You need a hobby.

2 years ago

Robert Daggett

I’m referring to this article; that’s what the rest of us want to talk about.

I have a hobby. I’m a volunteer firefighter, it contributes more to society than arguing with people about subjects you don’t understand. We are discussing the article. I lost cut my own keys. Look it up. Unlike you, I am not using a fake name, sir.

Cute. Your vain attempt to rouse me has failed. Real men would be happy to die in a fire knowing it may save a life. I see how you diverted from the technical subject because you’re wrong. This has nothing to do with bump keys and we all know it. Sir

You are a fucking scumbag. “Die in a fire?” Holy shit, you need to die a slow, painful death from any number of humiliating complications. Suck on a tailpipe. Play in traffic. Pick something, go do it. What the New York Post did is gross negligence. They did not do it to “force a hand.” If they wanted an info-graphic then they should’ve used a fake key or blocked the bottom half of the key (or show it in a lock or ANYthing other than to give away a sensitive blueprint).

God damn, you are a worthless sack of wasted human skin. Go die in a fire? Really? Jesus I hope you get caught under burning timbers one day and that thought crosses your mind as you choke to death on smoke while these guys pull your worthless carcass out of the fire, and I hope it leaves you so physically scarred that you can be truly gender neutral and have a LEGITIMATE say (and not a narcissistic one) on issues. Worthless little punk…

There are thousands of threads about this key on public web forums dating back many years. It’s clear that nearly every person who has served in a public safety or maintenance capacity at some point has a personal copy or five. Anyone who was remotely interested in getting into these places could have gotten images or copies easily; all this publication has done is stirred up fear, uncertainty, and doubt about security. I’m hesitant to judge whether this is a good thing or not, but this much is certain: Anyone who had intended to use these keys for harm in the past could have – or almost certainly has – done so before.

So, you’re re-printing the key here, presumably with the reasoning that it’s already out there and the damage is already done? It sounds like you’re operating under the same logic as the people you’re criticizing.

And let’s not forget that keys are three dimensional objects, whereas pictures of keys are two dimensional. There’s a lot that a would-be key duplicator cannot get from this picture.

What could they not get? The only important part that can’t be gathered with a glance at one of these locks is the pin lengths, which they gave away; they wouldn’t even need to make a copy now because picking it would be so easy knowing where the shear line is.

Restricted keyways have been around for years; that would be the best way to keep unauthorized duplication to an absolute minimum. Someone was just too stupid to require them. Where I live, the local power company now uses a proprietary keyway for electric meter rooms; getting a copy of one of those keys is very difficult. You just don’t wander into Home Depot and have one cut.